Gathering detailed insights and metrics for koa-session-minimal
Gathering detailed insights and metrics for koa-session-minimal
Installations
npm install koa-session-minimalDeveloper
longztian
Developer Guide
BETA
Module System
CommonJS
Min. Node Version
>= 14
Typescript Support
No
Node Version
18.0.0
NPM Version
8.6.0
Statistics
75 Stars
96 Commits
13 Forks
3 Watching
1 Branches
2 Contributors
Updated on 05 Mar 2023
Languages
JavaScript (100%)
Total Downloads
Cumulative downloads
Total Downloads
262,743
Last day
30%
52
Compared to previous day
Last week
1.5%
264
Compared to previous week
Last month
-12.3%
1,301
Compared to previous month
Last year
-29.6%
17,634
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
3
Versions
koa-session-minimal
Native Koa 2 session middleware, inspired by and compatible with koa-generic-session. This can be used as a drop-in replacement for koa-generic-session in Koa 2.
This rewrite implements koa-generic-session's essential interfaces, with around 100 lines of code in ES6. It supports existing session stores for koa-generic-session.
Version 4+ requires node 8+. Please use v3.0.4 for node versions older than 8.
Minimum features and storage usage
This middleware guarantees the following:
- Minimum data generation and storage. No session data modification / pollution.
- Neither a cookie nor a session store record is created unless session data gets populated by other middlewares.
- Cookie options are not saved in the
ctx.sessionobject or session store (try to address this concern).
- Minimum updates on cookie and session store. Cookie and session store only get updated when session data has been changed.
- When
ctx.sessiongets updated (is a non-empty object), cookie and store data will be updated with new values and new expiration time (maxAge). - When
ctx.sessiongets cleared (= {}ornull), cookie and store data will be deleted. - If a session has not been updated within
maxAge, its data will be expired.
- When
- Minimum public interfaces and configuration options.
- Cookie options:
maxAge,path,domain,secure,httpOnly - Session interfaces:
session,sessionHandler { regenerateId() } - Store interfaces:
get(),set(),destroy()
- Cookie options:
Installation
1$ npm install koa-session-minimal
Usage
1const Koa = require('koa') 2const session = require('koa-session-minimal') 3const redisStore = require('koa-redis') 4 5const app = new Koa() 6 7app.use(session({ 8 store: redisStore() 9})) 10 11// count middleware, increment when url = /add 12app.use(async (ctx, next) => { 13 ctx.session.count = ctx.session.count || 0 14 if (ctx.path === '/add') ctx.session.count++ 15 16 await next() 17 18 ctx.body = ctx.session.count 19}) 20 21app.listen(3000)
Interfaces
- session data via
ctx.session(the same way askoa-generic-session) - session methods via
ctx.sessionHandlerregenerateId(): regenerate session id
Options
key: session cookie name and store key prefixstore: session storecookie: cookie options, can be an object (static cookie options) or a function that returns an object (dynamic cookie options). OnlymaxAge,path,domain,secure,httpOnlyare supported as option keys (see option details incookiesmodule).
Session expiration
Default session has settings cookie.maxAge = 0 for cookie and ttl = ONE_DAY for session store, means that a session will be expired in one of the following circumstances:
- A user close the browser window (transient cookie ends)
- Session data hasn't been updated within
ONE_DAY(storage expires)
With settings that cookie.maxAge > 0, the ttl for store data will be always the same as maxAge.
Dynamic session expiration (cookie options)
When setting cookie option to a plain object, all sessions will use the same cookie options. If a function is assigned to cookie, cookie options will be dynamically calculated at each (non-empty) session's saving stage.
For example, you can use an arrow function to set different maxAge for user and guest sessions, as below:
1session({ 2 cookie: ctx => ({ 3 maxAge: ctx.session.user ? ONE_MONTH : 0 4 }) 5})
Session security
Middlewares are recommended to call sessionHandler.regenerateId() during authentication state change (login). This middleware provides the essential interface, It will be other middleware's decision on when and how often they want to roll the session id.
NOTE: Below is mostly copied from
koa-generic-session's README, because the two middlewares share the same store interfaces. Any store that implementskoa-generic-session's store interfaces should also work withkoa-session-minimal.koa-redisis tested as an example intest/store_redis.test.js
Session store
You can use any other store to replace the default MemoryStore, it just needs to follow this api:
get(sid): get session object by sidset(sid, sess, ttl): set session object for sid, with a ttl (in ms)destroy(sid): destroy session for sid
the api needs to return a Promise, Thunk, generator, or an async function.
Stores presented
- koa-redis to store your session data with redis.
- koa-mysql-session to store your session data with MySQL.
- koa-generic-session-mongo to store your session data with MongoDB.
- koa-pg-session to store your session data with PostgreSQL.
- koa-generic-session-rethinkdb to store your session data with ReThinkDB.
- koa-sqlite3-session to store your session data with SQLite3.
- koa-generic-session-sequelize to store your session data with the Sequelize ORM.
License
MIT
No vulnerabilities found.
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
6 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-4q6p-r6v2-jvc5
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
Reason
Found 0/30 approved changesets -- score normalized to 0
Reason
0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason
no SAST tool detected
Details
- Warn: no pull requests merged into dev branch
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'master'
Score
2.3
/10
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More